The following functions may be used in the filter statement, as described in Filters.
Table 14: Filter functions available in syslog-ng PE
Name | Description
facility() | Filter messages based on the sending facility.
filter() | Call another filter function.
host() | Filter messages based on the sending host.
in-list() | File-based whitelisting and blacklisting.
level() or priority() | Filter messages based on their priority.
match() | Use a regular expression to filter messages based on a specified header or content field.
message() | Use a regular expression to filter messages based on their content.
netmask() and netmask6() | Filter messages based on the IP address of the sending host.
program() | Filter messages based on the sending application.
source() | Select messages of the specified syslog-ng PE source statement.
tags() | Select messages having the specified tag.
Synopsis: facility(<facility-name>) or facility(<facility-code>) or facility(<facility-name>..<facility-name>)
Description: Match messages having one of the listed facility codes.
The facility() filter accepts both the name and the numerical code of the facility. Facility codes 0-23 are predefined and can be referenced by their usual name. Facility codes 24 and above are not defined.
You can use the facility() filter in the following ways:
- Use a single facility name, for example, facility(user)
- Use a single facility code, for example, facility(1)
- Use a facility range (works only with facility names), for example, facility(local0..local5)
The syslog-ng application recognizes the following facilities. (Note that some of these facilities are available only on specific platforms.)
Table 15: syslog Message Facilities recognized by the facility() filter
Code | Name | Description
0 | kern | kernel messages
1 | user | user-level messages
2 | mail | mail system
3 | daemon | system daemons
4 | auth | security/authorization messages
5 | syslog | messages generated internally by syslogd
6 | lpr | line printer subsystem
7 | news | network news subsystem
8 | uucp | UUCP subsystem
9 | cron | clock daemon
10 | authpriv | security/authorization messages
11 | ftp | FTP daemon
12 | ntp | NTP subsystem
13 | security | log audit
14 | console | log alert
15 | solaris-cron | clock daemon
16-23 | local0..local7 | locally used facilities (local0-local7)
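The following configuration fragment is an added example, not part of the syslog-ng PE documentation, and shows the three facility() forms side by side in a working log path. The source and destination names, the file paths and the @version line are assumptions; adjust them to your installation. It also illustrates a point the description leaves implicit: auth (4) and authpriv (10) are not adjacent codes, so authentication messages cannot be selected with a single name range and must be combined with "or".

```conf
@version: 7.0
# Added example; not taken from the syslog-ng PE documentation.
# Source, destination names and paths below are hypothetical.

source s_local { system(); internal(); };

# Single facility names. auth (4) and authpriv (10) are not adjacent, so a
# range such as facility(auth..authpriv) would also pull in syslog, lpr,
# news, uucp and cron (5-9); use two single-name filters joined with "or".
filter f_auth { facility(auth) or facility(authpriv); };

# Single numeric code: facility(0) is the same as facility(kern).
filter f_kern { facility(0); };

# Name range: local0..local5 (codes 16-21). Ranges work with names only;
# facility(16..21) is not valid.
filter f_local { facility(local0..local5); };

destination d_auth  { file("/var/log/syslog-ng/auth.log"); };
destination d_kern  { file("/var/log/syslog-ng/kern.log"); };
destination d_local { file("/var/log/syslog-ng/local.log"); };

log { source(s_local); filter(f_auth);  destination(d_auth);  };
log { source(s_local); filter(f_kern);  destination(d_kern);  };
log { source(s_local); filter(f_local); destination(d_local); };
```

Run `syslog-ng --syntax-only` against the file before reloading; an invalid range such as facility(16..21) is rejected at this stage rather than silently matching nothing.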
Synopsis: filter(filtername)
Description: Call another filter rule and evaluate its value. For example:
filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
filter inverted_demo_filter { not filter(demo_filter); };
Synopsis: host(regexp)
Description: Match messages by using a regular expression against the hostname field of log messages. Note that you can filter only on the actual content of the HOST field of the message (or what it was rewritten to). That is, syslog-ng PE compares the filter expression to the content of the ${HOST} macro. This means that the IP address of a host will not match, even if the IP address and the hostname field refer to the same host. To filter on IP addresses, use the netmask() filter.
filter demo_filter { host("example") };
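The fragment below is an added example, not code from the syslog-ng PE documentation. It combines the filter() and host() sections above: a base filter is reused through filter(), and the same sender is selected once by hostname with host() and once by address with netmask(), which is the case where host() does not match. The hostname "web-01", the 10.10.0.0/24 network, the port and the file paths are assumptions.

```conf
@version: 7.0
# Added example; not taken from the syslog-ng PE documentation.
# Host names, addresses, ports and paths are hypothetical.

source s_net { network(ip("0.0.0.0") port(514) transport("udp")); };

# Base filter. host() takes a regular expression and is unanchored, so
# anchor it: host("web-01") would also match "web-010".
filter f_web_deny { host("^web-01$") and match("deny" value("MESSAGE")); };

# Reuse the base filter inverted via filter().
filter f_not_web_deny { not filter(f_web_deny); };

# host() is compared with ${HOST}. When the message (or DNS resolution)
# sets HOST to "web-01", this filter does not match, even though
# 10.10.0.5 is web-01's address.
filter f_wrong_ip_match { host("^10\\.10\\.0\\.5$"); };

# To select by sender address use netmask(), which checks the
# source IP rather than the HOST field.
filter f_dmz { netmask("10.10.0.0/24"); };

destination d_web_deny { file("/var/log/syslog-ng/web-deny.log"); };
destination d_dmz      { file("/var/log/syslog-ng/dmz.log"); };

log { source(s_net); filter(f_web_deny); destination(d_web_deny); };
log { source(s_net); filter(f_dmz); filter(f_not_web_deny); destination(d_dmz); };
```

f_wrong_ip_match is kept only to show the pitfall; in a real configuration delete it and rely on f_dmz for address-based selection. If the sender's HOST field is set by the client rather than by syslog-ng, a client can spoof it, so netmask() is also the safer choice for any routing decision with security consequences.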